Yet Another Mac OS X Protocol Handler Exploit
Rosyna writes "Apple just can't get any breaks lately. First the help protocol handler exploit (which has been fixed), then the telnet handler exploit, and now an exploit for any arbitrary protocol handler: make your own, then exploit it. You can auto mount a volume in Mac OS X via the disk, afp, or ftp handlers (and probably others). Paranoid Android will help prevent exploitation until Apple fixes the problem." The hole here is that when a volume with an application on it is mounted, Apple registers the application's specified protocol handlers, without additional user action. Another option is to disable those handlers that allow volume mounting, but playing that game, obviously, isn't a guaranteed win in the long run.
MS influence? (Score:5, Funny)
Re:MS influence? (Score:1, Insightful)
by Anonymous Coward on 11:40 22 May 2004 (#9224915)
What'd they do, hire the security team away from Microsoft?
Troll? Have I too committed a thought crime by considering that post funny?
Re:MS influence? (Score:5, Funny)
Fear Bill G, Fear! (Score:4, Funny)
First, there is all this talk of switching to linux.
And now even the virus writers are starting to pay attention to something else besides windows.
Finally the end is near.
Goodbye Billy...
On the other hand, I do use Mac OS X.
D'Oh...
Re:Fear Bill G, Fear! (Score:3, Insightful)
As an Apple Afficionado, I'm delighted. (Score:5, Insightful)
That said, I'm immensely relieved the floodgates to OS X exploitation have finally been thrown open.
Allow me to explain.
Too long Apple users have gloated (senselessly) that OS X is somehow more secure than Windows. This collective delusion has lulled everyone into a false sense of security. Being one of the few who bothers to "secure" his OS X installation, I am often jeered at for being paranoid - unnecessarily so, according to my detractors.
But the truth is that no software system is perfect. This is the wake-up call for Apple and its users to realise they need to watch out too. I relish this because taking action *now* to purge OS X of its deficiencies will prevent the pitiful scene common to Windows users. I don't want OS X exploited on a daily basis as happens with Windows. I want OS X to be secure!
There will be much displeasure in the short-term, but that which does not kill us only makes us stronger.
Re:As an Apple Afficionado, I'm delighted. (Score:3, Insightful)
But I would still claim that OSX's security is better than XP's
Re:As an Apple Afficionado, I'm delighted. (Score:5, Insightful)
I just hope, as you say that it will shut the Mac fans up about their "immune OS that will never suffer from security holes as windows does". Guess what, it will - and has.
Elegant troll (Score:2, Funny)
Re:As an Apple Afficionado, I'm delighted. (Score:2)
See what happened to Intego when they spoke about a possible exploit and with a simple demo it was possible.
The amazing thing is, there is actually a glitch in Finder that COULD BE used to do evil things, but that company only showed (with a demo) that it's possible. They were labeled everything, including coding viruses to sell their products.
When a real virus ships for OS X coded by some lamer believe it will be big dea
Re:As an Apple Afficionado, I'm delighted. (Score:3, Interesting)
Yes this is a vulnerability. Yes it is bad. But a virus program would not protect you from this without altering the way that your system runs.
Does this need to be fixed? yes it does, but anti-virus software for OSX is still snake oil.
Re:As an Apple Afficionado, I'm delighted. (Score:3, Informative)
As a tradition on every computer I've bought since the Amiga 500, I buy an antivirus.
I bought this G5, converting from PC at November 2003, checking my receipts, I bought the Intego virusbarrier 10 days later after seeing Virex and Norton are pure crap. Also I have special feelings about Mcafee and Symantec from windows days
I agree to your post but... Remembering back in the day how damn DASA (one of first amiga viruses) effected me, I decided to carry on my tr
Re:As an Apple Afficionado, I'm delighted. (Score:2)
Right now buying and installing anti-virus software for OS X is like buying flood insurance in the Rockies. Until it actually happens or is needed, it seems like a horrible waste of money and resources.
Re:As an Apple Afficionado, I'm delighted. (Score:3, Insightful)
Re:As an Apple Afficionado, I'm delighted. (Score:5, Interesting)
Too long Apple users have gloated (senselessly) that OS X is somehow more secure than Windows
So something is either completely secure (along the lines of OpenBSD), or it is as open as Windows. And there is no middle ground there?
Even with the current exploits, OS X is still significantly more secure than most Windows installs.
Yes, I agree that OS X users need to take precautions and not just rely on the security of their machine. Even then, though, you can tell someone deciding between OS X and Windows "If you are reasonably careful on both platforms, you are still less likely to have problems with OS X, due to its security already in place."
Re:As an Apple Afficionado, I'm delighted. (Score:2)
It is in my code.
Re:As an Apple Afficionado, I'm delighted. (Score:5, Insightful)
Windows has had so many exploits that I can't even keep track. One exploit, not even a root exploit (a very important distinction) does not make OSX as vulnerable as Windows. There still are no worms, no viruses attributed to OSX.
Yes this was due. It was going to happen. But OSX is still infinitely more secure than windows and more than likely always will be. Let's not fly off half-cocked and make wild statements like this.
Re:As an Apple Afficionado, I'm delighted. (Score:1, Funny)
Well, to be fair, they are on the same planet.
Re:As an Apple Afficionado, I'm delighted. (Score:2, Insightful)
In general, there are two types of security issues:
(1) Implementation issues -- eg buffer overflows in MSRPC or OpenSSH or Outlook MIME parsing.
(2) Design issues -- such as auto-installing ActiveX, HTML preview that automatically runs scripts, and so on. These are the typical Microsoftish Ease-Versus-Security issues.
Windows has been hit hard by both, so it's easy to confuse the two.
The thing is, Apple really isn't better at #
Re:As an Apple Afficionado, I'm delighted. (Score:5, Insightful)
I am not saying that OS X is perfect. Far from it, I am a programmer myself and I understand the realities of software design. However based on track records alone, OS X is far ahead of even the most current windows implementation. How many exploits are there that auto install software on OS X? None. How many worms are there for OS X? None. How many pieces of auto-installing spyware are there for OS X? None. How many viruses? None. OS X IS more secure than windows. It's not perfect but I will put my money behind the security in OS X any day.
In any event, it was completely expected that the Windows zealots would come out of the woodwork as soon as the first vulnerability was found in OS X. Now it begins. We will see plenty of zealots crying how no operating system is safe. Guess what, windows is still a poorly written piece of garbage and no amount of throwing mud (or fud) is going to change that.
Re:As an Apple Afficionado, I'm delighted. (Score:1)
(Also, just offhand, I've never known a 'Windows Zealot' to give a flying fuck about Macs. Microsoft seems to be frying other fish
Re:As an Apple Afficionado, I'm delighted. (Score:5, Insightful)
Granted this is dumbing down the details by a HUGE amount but the point is still there. Microsoft software does not have the most worms/viruses/etc because it has the most market share, it has the most worms/viruses/etc because it is the most poorly written. Granted, if their market share was zero, then obviously the exploits would not be big news, but the clear point that is made is that if OS X were as vulnerable as Windows we would be seeing worms and viruses. The fact that there are none reported goes a long way to show the strength of the operating system.
BTW you could easily replace OS X with BSD, Linux in this statement and the statement still holds true. Software written with security in mind is clearly more secure. Windows was clearly not written with security in mind.
Re:As an Apple Afficionado, I'm delighted. (Score:2)
However a quick google turns up at least 36 known viruses/worms that attack IIS. Here [viruslist.com] is a link to a small list.
The market share of the operating system has little bearing on the number of exploits the system has. That is a false myth that has been going around the net for years. Not sure who started it but it is clearly false.
Re:As an Apple Afficionado, I'm delighted. (Score:1)
Re:As an Apple Afficionado, I'm delighted. (Score:3, Funny)
bra veau!
Re:As an Apple Afficionado, I'm delighted. (Score:5, Insightful)
I agree with your sentiment--I want a secure system, and seeing it challenged early will help it be so. But the fact of the matter is that OSX ships by default many degrees of magnitude more secure than Windows does.
Yes, this has resulted in some unnecessary gloating from Macheads, and it makes folks lazy with their security--that's unfortunate. But that doesn't diminish the security successes Apple's had with OS X.
Re:As an Apple Afficionado, I'm delighted. (Score:1)
This is a Launch Services exploit (Score:5, Interesting)
Also uses meta-refresh (Score:5, Interesting)
Re:Also uses meta-refresh (Score:5, Insightful)
Re:Also uses meta-refresh (Score:2, Insightful)
If you want to be fair about it, to become a security risk, it would have to have access to something.
As far as the dmg thing goes, a mounted dmg shows up on your desktop right away, a screen pops up showing it mounting, etc... There's no missing what is going on by even the simplest mac us
Re:Also uses meta-refresh (Score:5, Informative)
Using this technique, an attacker can cause a disk image to open on your machine, the OS will then faithfully install any arbitrary URL handlers that applications on that disk image say they can handle (for example a deletefile: URL handler), then the same website can forward you to a deletefile://~ URL, thus deleting your home directory.
While it would be easy to tell that the web site is opening a disk image, and the application it starts would probably appear in the Dock, it doesn't make it easy to prevent the Application on the disk image from being executed using this method.
Re:This is a Launch Services exploit (Score:2)
Re:This is a Launch Services exploit (Score:5, Interesting)
I would like Apple to add a mandatory confirmation dialogue with warnings about possible security risks from mounting images from untrusted sources on any attempt to mount a disk image from the internet.
This would give the user ample warning and a chance to prevent the exploit.
Another alternative would be to do the above and include the option in the security prefs pane to enable/disable mounting of internet disk images.
Re:This is a Launch Services exploit (Score:2)
Destroying the registration feature is not the answer.
Exploit doesn't effect Mozilla (Score:1, Interesting)
Re:Exploit doesn't effect Mozilla (Score:1, Interesting)
The Paranoid Android whitepaper mentions that turning off various schemes like disk, afp, ftp, isn't a good solution, but since Paranoid Android won't install for 10.2.8 (I tried), for now, it seems to be the only solution for me; I use RCDefaultApp to disable those schemes. Anyone got a way to turn off this custom URL scheme business for 10.2
Re:Exploit doesn't effect Mozilla (Score:1)
It just works! (Score:5, Insightful)
Re:It just works! (Score:1)
Resetting "help:" to Help Viewer (Score:5, Informative)
Fire up MisFox again and update the help protocol helper to /System/Library/CoreServices/Help Viewer.app
How this hole was discovered (Score:5, Informative)
Re:How this hole was discovered (Score:2)
Re:How this hole was discovered (Score:5, Insightful)
I'm a bit amazed at how well the Mac community has co-operated in finding these security flaws. Even though the flaws are always bad things, this just shows how strong the community actually is. And it sure feels good to be a part of it.
Re:How this hole was discovered (Score:5, Insightful)
It does, but it also shows the importance of community. This is one thing that I feel should be taken into account when creating a product. If you can create a community around your product then people will discuss what they like, what they don't like and generally people will talk about your product. All this needs to be, to start with, is a help forum with provision for generalised discussion. If people are part of the community then they are likely to help push the product.
Re:How this hole was discovered (Score:1)
But when people 0-day this stuff then it is suddenly okay and we don't mind it's protecting the users, yay for community!
Good for these folks for working towards the bottom of all this stuff though. Yet another case of automagically changing settings to make life "eas
Re:How this hole was discovered (Score:3, Insightful)
Slashdot is not one person. Therefore there will be different opinions about things.
I'm not usually for releasing vulnerabilities directly into the public, but this makes an exception. The findings of these new vulnerabilities are results of one conclusion after another. In the end: does it matter if the final announcement is posted if you can read it between the lines from the earlier posts yourse
Re:How this hole was discovered (Score:1, Funny)
It's not? But... but... I felt like we were really making a connection. I thought I was in love. *sob!* :'(
Re:How this hole was discovered (Score:2)
Re:How this hole was discovered (Score:2)
Only 10.3? Weak (Score:1, Offtopic)
Re:Only 10.3? Weak (Score:2, Informative)
Re:Only 10.3? Weak (Score:1)
Requires Mac OS X 10.2 or newer
If you've got such a problem with it not supporting 10.1.x, maybe you should write your own. And give it away for free, of course.
Same thing (Score:4, Informative)
1) Disable automount of downloaded files in Safari.
2) Install the security update
3) Disable telnet: disk: and disks: protocols
That's it. No web page can exploit this arbitrary protocol problem if you do step 1 above. Step 2 fixes the help: issue, and step 3 fixes all other known issues.
Why does this warrant 4 stories in 4 days? Are all the Windows weenies just that thrilled that there is an exploit on OSX?
Re:Same thing (Score:2, Informative)
See http://ozwix.dk/OpnAppFixer/testit.html for an example using ftp. The page isn't automated, so just click the ftp-link first, then "step 3".
Re:Same thing (Score:5, Informative)
That's it. No web page can exploit this arbitrary protocol problem if you do step 1 above. Step 2 fixes the help: issue, and step 3 fixes all other known issues.
Why does this warrant 4 stories in 4 days?
It warranted 4 stories in 4 days because people like you misunderstand the problem.
Step 1 doesn't fix anything. disk: ftp: afp: protocols still allow automounting of volumes from a webpage.
Step 2 fixes help and telnet, but those aren't the whole issue.
Step 3 is a step in the right direction, but you'll also need to disable ftp: and afp: since they both can be used in the same way.
Disabling ftp means you can't open any ftp volumes without jumping through hoops. I always thought it was stupid that safari didn't handle ftp directly though.
The solution isn't an easy one, and Apple is going to have to do something that MS and Linux have dealt with in the past... sacrifice ease-of-use for security.
Maybe I'm missing something (Score:2)
Re:Maybe I'm missing something (Score:5, Informative)
Re:Maybe I'm missing something (Score:5, Informative)
I'm a Mac owner. I've owned nothing but Apple computers, first an Apple IIGS then a series of Macs. I love them, and I think Apple is great. But that doesn't prevent me from facing reality.
The fact is, it doesn't matter if "only" your user account is compromised, and root remains secure. What can a trojan possibly do to your computer that you don't want it to do? It can delete files, spy on you, and proxy spam or other malicious network connections. It can do all of this with "only" your user account. You don't have to be root to proxy anything. You don't have to be root to run a keylogger or run a heuristic that greps for credit card numbers. You don't have to be root to trash all of the files in your home directory, which should be the only ones you care about. Who cares if the trojan can't trash the stuff in
The unix permissions model is great on multiuser systems, but on a home desktop it really just doesn't help that much. It's nice, but it fails to protect that which I care most about.
Re:Maybe I'm missing something (Score:2)
Re:Maybe I'm missing something (Score:4, Informative)
A trojan program is one thing.
These exploits will, with one single click on a link somewhere in a browser, download an attacker's code and then run that code automatically.
There's a big difference between being sent an app or downloading it, then running it in a separate action, and "click this link to see a photo of my cat" then within seconds have an attacker's code wiping all files you have permission to run.
As is, a default OSX install is vulnerable to a malicious link in someone's slashdot
This is no news (Score:1)
Much Ado About Not Much... (Score:5, Interesting)
I've written a sample exploit that delivers and executes its payload without user intervention and operates by registering its own URL scheme handler. Until Paranoid Android [unsanity.com], there was no way of protecting against this attack, which freaked me out enough to write Paranoid Android [unsanity.com]. :)
If you click the sample exploit link below, here's what will happen:
Because this sample exploit registers its own URL scheme, none of the methods people had been using involving disabling certain scripts, moving Help.app or changing the 'help' URL scheme would protect against it. At this time, only Paranoid Android [unsanity.com] provides protection from it.
benign sample exploit -->innocousPage.html [geekspiff.com]
Portions of this sample exploit are based heavily on a prior sample exploit at insecure.ws [insecure.ws]
Conclusions
Until Apple fixes this vulnerability, you should install Paranoid Android [unsanity.com] and surf safely.
Copyright Jason Harris, 2004, All Rights Reserved
I'm using 10.3.3 and when I click on the sample exploit URI, nothing happens -- nothing. I've tried this thing 10+ times, scoured my HD for "owned.txt" and can find nothing. Of course, I installed the RCDefaultApp PreferencePane a couple of days ago and had already followed the suggestions posted by John Gruber on http://daringfireball.net but since Paranoid Android is the ONLY thing that can protect against this exploit, I'm at a loss as to explain why my machines aren't affected.
Re:Much Ado About Not Much... (Score:5, Informative)
Try one of these if you are so confident this is a PR stunt: http://ozwix.dk/OpnAppFixer/testit.html
Re:Much Ado About Not Much... (Score:1)
Mac OSX users (not the old school ones remembering OS 7-8-9) think their Mac is at NSA terminal level security; it's the biggest threat to Mac security itself!
Re:Much Ado About Not Much... (Score:1)
Nothing new here. I clicked on every link on the page and the only thing I got was a copy of "Test.dmg" in my Downloads folder after clicking http://ozwicx.dk/OpnAppFixer/Test.dmg (the second link on the page), which of course I did not mount.
I'm not debating whether or not this is a real security issue -- it is evident that it is. What I'm debating is whether or not Paranoid Android is the only way to protect oneself from it as is claimed on the Unsanity web site. It is not, and thus I'm still b
Re:Much Ado About Not Much... (Score:1)
I'm at a loss as to explain why my machines aren't affected.
Since you've already disabled the "disk:" protocol, the image isn't mounted and thus the sample exploit is not working for you. This does not mean that you are safe against "ftp:" and "afp:" exploits unless you've disabled those protocols as well. You can hunt and disable every such protocol and still not be sure you've gotten them all, or you can just use PA to get yourself a little warning for every URL scheme save those that are "trusted".
I also cannot get it to work (Score:2)
Fixing without losing the functionality? (Score:4, Interesting)
I had thought about requiring applications to be signed, and non-signed applications requiring extra permission, but since this issue is likely to arise from unsigned applications that the user would accept anyhow, would we just be gaining a false sense of security?
I would be curious to read your ideas.
Re:Fixing without losing the functionality? (Score:2)
To me this seems to be the cleanest solution. No pop-up windows warning you of dire consequences (a la windows crap), just a simple "can't execute this from here" change to the protocol handlers.
Not my idea but I think it is the cleanest and most eleg
Re:Fixing without losing the functionality? (Score:4, Informative)
That's a really bad idea. This problem is easy to fix without losing functionality, or doing something stupid like disallowing execution on mounted disk images. The reason that's stupid is because this doesn't affect only 'disk:' mounted images: it affects afp, ftp, smb, webdav, nfs, and any method of mounting a volume. It's also really stupid because pretty much every single installer under the sun runs from a disk image. Having to copy it off first to even run it is a really, really, really bad idea because it would break the whole idea of disk images in the first place.
Fortunately, there's a simple fix: instead of letting registration of arbitrary handlers happen by LaunchServices *before* an application is even launched - which is the key to this exploit - Apple should only allow registration after an application is launched. This would require actual user interaction to specifically launch an application. That alone would protect against this exploit.
Re:Fixing without losing the functionality? (Score:4, Interesting)
Trying to do one blanket change to fix everything is not the right answer in my opinion. The built-in protocols need to be looked at but sandboxing disk:// mounted images would solve the issue of maliciously created protocol handlers.
I have tested a lot of software on my OSX machine and I do not recall anyone ever using the disk:// protocol for an installer.
Forcing the user to launch an application just to register its handlers would put a serious dent in the way that OSX handles applications. Personally that is a piece of functionality I would rather not lose.
Re:Fixing without losing the functionality? (Score:4, Interesting)
Ok, but this still won't work, because disk:// isn't the only thing affected. The exploit can affect ANY type of network mounted volume: afp, smb, ftp, webdav, nfs, etc. Are you telling me that you shouldn't be able to execute anything from ANY network volume? That would break loads of things. (And also, even though the disk:-mounted-images-in-a-sandbox idea is invalidated because of this, just because you have never used disk: doesn't mean others don't.)
Therefore, consider a slightly scaled back version of my previous suggestion:
Don't allow URL/URI helpers to automatically register before execution of the application from network mounted volumes. I don't really see any other way to solve this. To reiterate: just making disk: mounted images non-executable sandboxes DOES NOT solve this problem; you'd have to make ALL network volumes non-executable sandboxes, and that simply will not work. If URL/URI helpers are disallowed from registering automatically from network volumes only, the problem is solved: this exploit is killed, but any apps on local volumes are allowed to register as usual.
Re:Fixing without losing the functionality? (Score:2)
It's a tricky question. Functionality may indeed break in many cases. In that sense requiring a password is not a bad idea. It can't however be the admin password as you suggested, because that would prevent different users from having different default applications for mail, http etc.
A message box asking if the application should be registered as the default application for a protocol would be the best I can currently think of right now. Protocol handlers should also not be automatically searched from a mo
Exploit doesn't work for me (Score:2)
Running 10.2.8 (updated as of yesterday's fix from Apple) I can't get the .dmg file to even download when clicking on the example [geekspiff.com] exploit. I get the following error message:
Did Apple's fix take care of this or is the exploit no longer available?
Re:Exploit doesn't work for me (Score:2)
He mentioned that there was "anecdotal evidence" that users of Jaguar (10.2.x) are not affected by this vulnerability. Maybe it's a good thing we h
More Shoes (Score:3, Interesting)
Can't trojans that get onto Macs turn into bona-fide worms, distributing themselves via Address Book and HTML e-mail that does the 'disk://' download?
Re:More Shoes (Score:5, Interesting)
Theoretically yes.
It's certainly possible to click on a link and have it run code that emails everyone in your address books with a mail that also has that same link in it. That would spread the link to many other people, many of whom would click on it.
However as yet the code only runs in userland and can stay executing no longer than the current session. Rebooting will kill it and it won't come back unless clicked again. Because of that its ability to drop a payload that will be useful later to intrude on the machine is limited.
Re:More Shoes (Score:1)
The workarounds available at the moment (Score:5, Informative)
1. The best is Paranoid Android linked to in the article itself. PA itself uses the APE kernel extension from Unsanity, however, and some people have reported problems with this.
2. Another method is to use Internet Explorer, MisFox or MoreInternet to set the following protocol helpers, which can mount volumes, to point to an innocuous application, such as Chess.
ftp:
afp:
disk:
disks:
3. In a public environment where there are some automatically mounted network shares such as in a university, school or company, you would also have to take into account protocols such as:
nfs:
webdav:
smb:
cifs:
but these are less likely to be used in conjunction with this vulnerability as it would be more difficult to get one of these users to simultaneously go to a webpage that exploits this.
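The workarounds above neuter the schemes that can mount a volume, but they say nothing about what an already-mounted volume would hand to Launch Services. As an added example (not code from this thread, Unsanity, or Apple), the following script lists the URL schemes each .app on a mount point declares in its Info.plist (the CFBundleURLTypes / CFBundleURLSchemes keys Launch Services reads), and flags any that would hijack one of the mount-capable schemes from the list above or that are new to the machine; the app names, the trusted-scheme set and the temporary "volume" are constructed for the demo.

```python
"""Audit the URL schemes that application bundles on a volume declare.

Added example, not from the Slashdot thread or any project it names.
Assumption: Launch Services registers exactly the schemes an app lists under
CFBundleURLTypes -> CFBundleURLSchemes in Contents/Info.plist, so listing
them for every .app on a freshly mounted volume shows what the mount would
have registered without the user launching anything.
"""
from __future__ import annotations

import os
import plistlib
import tempfile

# Schemes the thread lists as able to mount a volume; an app on a removable
# or network volume claiming one of these would take over later afp:/ftp:/disk: links.
MOUNT_SCHEMES = {"ftp", "afp", "disk", "disks", "nfs", "webdav", "smb", "cifs"}


def declared_schemes(info_plist: bytes) -> list[str]:
    """Return the URL schemes an Info.plist declares, lower-cased."""
    info = plistlib.loads(info_plist)
    schemes: list[str] = []
    for url_type in info.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            schemes.append(str(scheme).lower())
    return schemes


def classify(scheme: str, trusted: set[str]) -> str:
    """Label a scheme the way a pre-registration check might."""
    if scheme in MOUNT_SCHEMES:
        return "hijacks-mount-scheme"   # would shadow the built-in volume mounter
    if scheme in trusted:
        return "trusted"                # already handled by an app the user launched
    return "unknown-new-scheme"         # e.g. the deletefile: example from the thread


def find_apps(volume_root: str) -> list[str]:
    """Find every .app bundle (one that carries an Info.plist) below a mount point."""
    apps: list[str] = []
    for dirpath, dirnames, _files in os.walk(volume_root):
        for name in list(dirnames):
            if name.endswith(".app"):
                bundle = os.path.join(dirpath, name)
                if os.path.isfile(os.path.join(bundle, "Contents", "Info.plist")):
                    apps.append(bundle)
                dirnames.remove(name)   # do not descend into the bundle itself
    return sorted(apps)


def audit_volume(volume_root: str, trusted: set[str]) -> dict[str, dict[str, str]]:
    """Map each app on the volume to {scheme: classification}."""
    report: dict[str, dict[str, str]] = {}
    for bundle in find_apps(volume_root):
        with open(os.path.join(bundle, "Contents", "Info.plist"), "rb") as fh:
            schemes = declared_schemes(fh.read())
        report[os.path.basename(bundle)] = {s: classify(s, trusted) for s in schemes}
    return report


def _write_app(root: str, name: str, schemes: list[str]) -> None:
    """Create a constructed .app skeleton declaring the given URL schemes."""
    contents = os.path.join(root, name, "Contents")
    os.makedirs(contents)
    info: dict = {"CFBundleIdentifier": "example." + name}   # constructed id
    if schemes:
        info["CFBundleURLTypes"] = [{"CFBundleURLSchemes": schemes}]
    with open(os.path.join(contents, "Info.plist"), "wb") as fh:
        plistlib.dump(info, fh)


def demo() -> dict[str, dict[str, str]]:
    """Build a constructed 'mounted image' with three apps and audit it."""
    root = tempfile.mkdtemp(prefix="constructed-dmg-")
    _write_app(root, "Innocuous.app", [])              # declares nothing
    _write_app(root, "Payload.app", ["deletefile"])    # the thread's example scheme
    _write_app(root, "Hijack.app", ["ftp", "http"])    # claims a mount-capable scheme
    trusted = {"http", "https", "mailto", "help"}      # constructed allowlist
    return audit_volume(root, trusted)


if __name__ == "__main__":
    for app, findings in demo().items():
        print(app, findings or "(no URL schemes declared)")
```

Run against a real mount point (for example a freshly attached image under /Volumes) instead of demo() to see what that volume would have registered.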
Re:The workarounds available at the moment (Score:2, Interesting)
applescript://
launched the Script Editor. I was unable to use other applications unless I quit the Script Editor.
Adding protocol handlers should require admin (Score:1)
little snitch (Score:1)
the Snitch [obdev.at] seems to block bogus protocol handlers. as long as LS queries you about the "diskimages-handler", the connection can be blocked, and the image fails to mount. camino gives me "malware is not a registered protocol"
but fo
The reaction of my friends (Score:5, Funny)
Paranoid Android -- 1.0, not 1.1!! (Score:4, Informative)
While Paranoid Android 1.1 is better than nothing, it allows some exploits to slip through. Basically, it allows ftp links to mount in the Finder. Once this is done, the Finder will register any URL handlers present. That can include URL handlers that Paranoid Android trusts.
All of this is even after the 5-24 security update is installed, of course.
Apple really needs to do something about Launch Services. I think the best bet would be to mark newly discovered URL schemes as untrusted. When the user tries to run an untrusted scheme for the first time, warn them about it.
Not only with disk images... (Score:1)
This is how I think Apple could solve this:
When an application is first detected, all its URL schemes are un-flagged. The first time the user launches that app, they get flagged, and can be used freely.
If the user (or the exploit!) tries t
Re:Not only with disk images... (Score:2, Insightful)
I do not have any better solution, but as the sky is overcast today I'm gonna complain about yours anyhow.
You are not alone in suggesting that the user should confirm what should happen in a dialog/pop-up/what-not. The problems are
a) There are too many clueless users out there, who have no idea of what they are doing.
b) Even if you are f
Re:Not only with disk images... (Score:1)
Okay, fair enough. Then instead of displaying a dialog box, let's disable the URL schemes completely until the first launch of the app.
Re:Not only with disk images... (Score:1)
I like that! In other words: MacOS X will be the safest system in the world until you actually start using it.
"Yet another?" (Score:2, Funny)
Nice freakin' headline.
Little Snitch (Score:2, Interesting)
Anyone surfing without an application sensitive firewall should catch a clue.
The first time Mozilla tried to mount a sample exploit
Granted, your run of the mill user would likely click through allowing the mount, but they would probably do the same with Paranoid Android, and LS covers all applications trying to establish external connections, a real plus in todays wired wor
My experience trying this on Jaguar (10.2.8) (Score:4, Informative)
Mac OS/X 10.2.8, with all services turned off and the firewall turned on, denying everything, and all Directory Access protocols turned off (what can I say, I'm a little paranoid). I also have a hardware firewall between my laptop and my cable modem. Belt and suspenders, right?
I don't use Safari because it doesn't seem to be too stable on my machine for some reason (gypsy curse?). If I install it, it crashes on some of the sites I visit (I think this is a Java issue of some kind). So I deleted it.
For a browser, I generally use Mozilla 1.6, although I like to play with Firefox and Camino, too. I'll probably switch to Firefox permanently when they get past the 1.0 hurdle. In my browsers, I have killed most of the plugin handlers except for the obvious ones, like mp3 and so on. Plus, I'm sadistic about popup windows and cookies.
OK, enough introduction.
I tried the vulnerability links on the site, and they didn't work on my system. The first link produced an error message claiming a "type 2" error, then a popup which said that the protocol in use was not a registered protocol. The second link didn't produce an error, but it did produce the registered protocol warning. Neither link resulted in a file being saved to my machine, or indeed any other visible effect.
Note that the website did mention that users of Jaguar might not be vulnerable, and that there was anecdotal evidence for this. So, let me add my anecdote to the collection of anecdotes already present, and say that if you're running a similar setup to mine, you might be alright.
-Phil
Not a bug, but a misfeature (Score:2, Interesting)
Re:Rather simple WWW fix? (Score:2)
Re:Rather simple WWW fix? (Score:4, Informative)
Doesn't stop images being mounted using disk:// as a protocol. i.e. disk://malware.somwhere.com/own3d.dmg
No one should be using that option.
It's on by default so game over. Not needed for this or new similar exploits to work anyway.
Re:Rather simple WWW fix? (Score:2)
Re:Rather simple WWW fix? (Score:2)
But that doesn't actually stop the automatic mounting of disk images in this case. That's part of the exploit.
Re:Alright (Score:5, Interesting)
Hmmm...Never. I have had Safari automount more disk images than I can count. Some of them have a EULA auto pop-up but never have I seen one run the installer automatically. If that were to happen, we would have seen a trojan on OSX a lot sooner.
Re:you make it sound... (Score:4, Informative)
I'm not a mindless Apple apologist. This current set of URI handler vulnerabilities is horrendous and I'm pissed. Thankfully this is the exception rather than the rule... at least to date.
Re:you make it sound... (Score:3, Interesting)
Both the statement and the reasoning are wrong. Security is a property of the whole system, not something you can implement at one level and then forget about it. The existence of all the stuff that Apple adds on top of a UNIX-like base system (the user interface, Netinfo, fancy file abstractions, NeXTStep libraries